When we initially implemented support for robustcheckout, we didn't
have the magic "%include" syntax in Dockerfiles. So we used tooltool
to download robustcheckout.py to the image.
Now that we have nice things, we can use the vendored robustcheckout.py
file.
As part of this, I realized we're inconsistently using /tmp, /setup
and /build for files used during image building. That should probably
be cleaned up. I'd rather not bloat scope for this bug, however.
MozReview-Commit-ID: D99Gcdw1DId
Python processes with a TTY have stdout line buffered by default.
Python processes without a TTY have buffered output.
Mercurial inherits whatever Python's output buffering behavior is.
This means if we invoke Mercurial without a TTY, stdout and stderr
will be fully buffered. This means output may not be sent until
there is enough output to flush the output buffer.
A consequence of this is that timings reported for `hg` commands
invoked by run-task are inaccurate. In addition, output order is
incorrect. This is because Mercurial's progress indicators print
to stderr and flush when written. This means stderr output is
getting seen by run-task but stdout remains buffered.
This commit forces Python/Mercurial to not buffer stderr and stdout
by setting the PYTHONUNBUFFERED=1 environment variable.
MozReview-Commit-ID: 7lMdrjRMBqz
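The ordering problem this commit message describes can be reproduced with a small harness. This is an added example, not code from run-task: the child script and the run_child() helper are constructed for illustration, with the child flushing stderr after writing the way the message says Mercurial's progress output does.

```python
import os
import subprocess
import sys

# Constructed child process: writes to stdout, then writes to stderr and
# flushes it (as the commit message says Mercurial's progress indicators do),
# then writes to stdout again.
CHILD = (
    "import sys\n"
    "sys.stdout.write('stdout: step 1\\n')\n"
    "sys.stderr.write('stderr: progress\\n'); sys.stderr.flush()\n"
    "sys.stdout.write('stdout: step 2\\n')\n"
)


def run_child(unbuffered):
    """Run the child without a TTY and return its lines in arrival order."""
    env = dict(os.environ)
    env.pop("PYTHONUNBUFFERED", None)  # start from a known state
    if unbuffered:
        env["PYTHONUNBUFFERED"] = "1"
    proc = subprocess.run(
        [sys.executable, "-c", CHILD],
        stdout=subprocess.PIPE,
        stderr=subprocess.STDOUT,  # one pipe, so arrival order is visible
        env=env,
        check=True,
    )
    return proc.stdout.decode().splitlines()


if __name__ == "__main__":
    for flag in (False, True):
        print("PYTHONUNBUFFERED=1" if flag else "default buffering")
        for line in run_child(flag):
            print("   ", line)
```

With default buffering the stderr line reaches the parent first because stdout is held until the child exits, so any per-line timestamps the parent adds are wrong as well as the order.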
The Python code is now intelligent enough to add this flag on the
command line if supported. Eliminate the copy pasta and help prevent
cargo culting.
MozReview-Commit-ID: H4rbjbbgtRd
install-mercurial.sh was switching directories to /usr/local/mercurial
resulting in following actions adding files to that path. We don't
want that. So avoid the `cd` in install-mercurial.sh.
The main side effect of this change is that the desktop-test image is
now ~1.2 GB smaller because files aren't being saved to
/usr/local/mercurial.
MozReview-Commit-ID: Kyv8oXtvsda
The only difference in these files was the order that pulseaudio is
started and whether compiz is started. We rename test-ubuntu1604.sh
to test-ubuntu.sh, add some distro release detection, and add
some conditional branches so it works on both Ubuntu 12.04 and 16.04.
MozReview-Commit-ID: CaSfuDxss3d
We can't add it to the base image because rebuilding the base image
breaks Valgrind due to non-deterministic package version installation
(read the bug for the ugly backstory).
MozReview-Commit-ID: ARKJZfNCRFc
Previously, when recursively changing ownership on directories we would
only change the owner. We saw some permission denied failures in
automation where the new owner couldn't modify files or directories.
This *might* be due to the owner write bits not always being set. Or
it could be something else (such as a filesystem bug - *cough* AUFS
*cough*).
This commit changes our recursive chown implementation to ensure owner
read, write, and execute bits are set on directories.
Because we're now always calling stat(), the code for calling chown()
is made conditional because we have the stat information and can avoid
the extra system call if it would be a no-op.
MozReview-Commit-ID: JT9q3QR4Sit
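A sketch of the approach this commit message describes: stat every path, chown only when ownership differs, and make sure directories carry owner read, write and execute bits. This is an added example, not run-task's implementation; fix_path() and chown_recursive() are hypothetical names, and the use of lstat()/lchown() so that symlinks are never followed while running as root is an assumption of this sketch.

```python
import os
import stat

OWNER_RWX = stat.S_IRUSR | stat.S_IWUSR | stat.S_IXUSR


def fix_path(path, uid, gid):
    """Fix one path and return (chowned, chmodded)."""
    st = os.lstat(path)  # lstat: inspect the link itself, never its target
    chowned = chmodded = False
    # The stat result is already in hand, so skip chown() when it is a no-op.
    if st.st_uid != uid or st.st_gid != gid:
        os.lchown(path, uid, gid)
        chowned = True
    # Only real directories get their mode touched; symlinks are skipped.
    if stat.S_ISDIR(st.st_mode) and (st.st_mode & OWNER_RWX) != OWNER_RWX:
        os.chmod(path, stat.S_IMODE(st.st_mode) | OWNER_RWX)
        chmodded = True
    return chowned, chmodded


def chown_recursive(top, uid, gid):
    """Apply fix_path() to top and everything below it; return call counts."""
    counts = {"chown": 0, "chmod": 0}

    def record(result):
        counts["chown"] += result[0]
        counts["chmod"] += result[1]

    record(fix_path(top, uid, gid))
    # Top-down walk: each directory is fixed before os.walk descends into it,
    # and os.walk does not follow symlinked directories by default.
    for root, dirs, files in os.walk(top):
        for name in dirs + files:
            record(fix_path(os.path.join(root, name), uid, gid))
    return counts
```

The returned counts show how many chown() and chmod() calls were actually needed, which is the saving the message refers to when ownership is already correct.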
This commit does a few things. First, it introduces a property on the
"test_description" schema that, if defined, will cause run-task to
perform a gecko checkout. The presence of the property also configures
the needed scopes and caches.
Second, we introduce the property on web platform test tasks so a
Gecko checkout is present. We also add volumes for the Mercurial
paths to the Docker images. We strictly only need this for
desktop1604-test since WPT tests don't run on desktop-test. However,
desktop-test and desktop1604-test are nearly mirror images of each
other and I feel it is best to keep them in sync.
This commit will make WPT tasks slower on average because they will
need to create a checkout. To add salt to the wound, the checkout
isn't used. However, we need to prove that performing checkouts in
test tasks in automation works at scale. I'd prefer to have this running
for a few weeks and incurring a wall time execution penalty than to
have a giant series of commits backed out because source checkouts
aren't working.
MozReview-Commit-ID: 9UrSWSSmr3w
Before, test.sh (duplicated between the desktop-test and
desktop1604-test images) was dropping permissions, creating a workspace,
and executing test-linux.sh. This is functionality now provided by
run-task.
So, convert the test tasks to use run-task.
It's worth noting that creating the workspace directory is no longer
necessary because it is defined as a VOLUME in the Dockerfile or a
cache in some task configurations. However, it is default owned by
root:root, so we do need to instruct run-task to chown it.
Since the test.sh files are no longer used after this change, they have
been deleted. The desktop-test image no longer has any files in the
bin/ directory, so the Dockerfile entry to copy those files has been
removed.
MozReview-Commit-ID: 1BiskrMs6xW
It is common for tasks to chown paths before permissions are dropped
from root:root. This commonly occurs when Docker volumes/caches are
involved since they are default owned by root:root and not writable
by any other user.
Since this will likely be a common request, add the functionality to
run-task.
MozReview-Commit-ID: AHmSfY5Ce0S
We just upgraded our run-time environment to Mercurial 3.9.
3.9 features a new [hostsecurity] config section and allows certificate
fingerprints to be defined using SHA-256 hashes (not just SHA-1).
A TaskCluster secret with the Mercurial 3.9 fingerprint format has
been added. This commit takes advantage of it.
MozReview-Commit-ID: 5NwJl9zOse2
curl and jq were previously used to fetch and parse the TC secret.
We now use Python for that. So remove the unused packages.
This reduces the Docker image size by ~10MB.
MozReview-Commit-ID: Nl7fC1aG7w
Mercurial 3.9 changes the default security settings to make Mercurial
secure by default. It is important for Firefox's automation to be
secure.
MozReview-Commit-ID: IF7Z74111hI
When I wrote this initially, I was told it was not possible to inherit
from desktop-build. That may have changed, but I still don't know how
to inherit, so we duplicate the logic here, inviting bugs of this
class. The underlying logic moves slowly so this is an acceptable
approach.
MozReview-Commit-ID: AsWdbp0QK5K
Sometimes xvfb will not start up with the current retry/delay settings. This will
attempt to retry more and delay for longer to ensure xvfb has started up. Common
pieces of this have been factored out into a recipe that all docker images can share
that need this functionality.
MozReview-Commit-ID: BTXkJkBWLZX
Sometimes xvfb will not start up with the current retry/delay settings. This will
attempt to retry more and delay for longer to ensure xvfb has started up. Common
pieces of this have been factored out into a recipe that all docker images can share
that need this functionality.
MozReview-Commit-ID: 2ww0eT3cIt6
Before, test.sh (duplicated between the desktop-test and
desktop1604-test images) was dropping permissions, creating a workspace,
and executing test-linux.sh. This is functionality now provided by
run-task.
So, convert the test tasks to use run-task.
One thing run-task isn't doing is creating the workspace. So this
functionality has been moved into test-ubuntu1204.sh and
test-ubuntu1604.sh.
Since the test.sh files are no longer used after this change, they have
been deleted. The desktop-test image no longer has any files in the
bin/ directory, so the Dockerfile entry to copy those files has been
removed.
MozReview-Commit-ID: 1BiskrMs6xW
Before, we `curl`d these files at task run time. Why, I'm not sure.
Probably the easiest way to do things before we could add files outside
the directory of the Dockerfile to the image build context. Since that
is no longer a restriction, we just include the file as part of the
built image.
This does mean we rebuild the Docker image if the scripts change. I'm
fine with that.
It's worth noting that both test.sh files look very similar. I
anticipate consolidation in the future...
MozReview-Commit-ID: 48dinmxy6G0
Without this, we potentially mix unicode literals and str and have
implicit type coercion, leading to UnicodeDecodeError or some such.
Oh, the joys of Python.
MozReview-Commit-ID: IeXRjs5Fnj7
This effectively reverts the change in 2f0d6ea822b5 (bug 1163057)
to own the files by root:root. Since that change landed, we su
to the "worker" user early during task startup. So there is no more
need to have /home/worker owned by root:root.
MozReview-Commit-ID: 77q9APiDKpb
The install-mercurial.sh script takes care of installing a global hgrc.
If we want Mercurial settings, that's where they should be defined.
A number of Docker images had redundantly maintained versions of
/home/worker/.hgrc. We've deleted some instances of these hgrc files
because I thought they were cargo culted. It turns out that the config
was added to support one-click loaners (see bug 1250904).
Since there is little harm in enabling extensions globally, we just do
that in the shared install-mercurial.sh script and do away with the
custom hgrc.
It's worth noting that the CA path defined in the custom hgrc is not
needed because the Mercurial package installed by install-mercurial.sh
configures this correctly.
MozReview-Commit-ID: bk4ek99X4z
We're giving the same treatment to the Ubuntu 12.04 test image that we
did to the Ubuntu 16.04 image in bug 1293686.
As of this commit, the image can be fully regenerated from changes in
tree: no Docker Hub pushes necessary.
A downside is we could get bit by lack of determinism in image
building. But that's already a problem.
Since the ubuntu1204-test and ubuntu1204-test-upd images are no longer
used, they have been deleted.
MozReview-Commit-ID: 55DwqHOmVM5
The decision task now uses robustcheckout to get the latest mercurial state.
However, robustcheckout also enforces that the revision it's passed is
actually a revision hash, and not a symbolic name. This will use the --branch
option of robustcheckout if GECKO_HEAD_REF is defined and will use `hg log` to
fill in GECKO_HEAD_REF.
MozReview-Commit-ID: LJikceW4YVg
The code from the base ubuntu1604-test image has been moved to
the desktop1604-test image. Since ubuntu1604-test is no longer
referenced, we remove it.
With this change, the desktop1604-test Docker image no longer
requires a push to the Docker Hub when updating: it is updated fully
within TaskCluster.
This will result in more image transfers in automation and to
developer machines. But we do gain a lot of convenience updating
the images.
MozReview-Commit-ID: GRpPOfs6pn3
In preparation for removing the ubuntu1604-test base image. We also
change the script's location in the image to /setup because that's the
path we use in most images.
MozReview-Commit-ID: CvjTO8hmIkW
Pinning these packages breaks Ubuntu package management because
other packages we install explicitly require a newer version.
Attempting to pin these results in packages getting removed or refusal
to install.
MozReview-Commit-ID: AhQbjavCKI1
As bug 1291940 shows, aufs can be a real performance drag.
Most performance critical paths in containers are caches. This allows
the use of the host filesystem (instead of aufs), which is much faster
under load.
Unfortunately, most caches are stripped on Try. This means paths that
would be served from the fast host filesystem are now being handled
by aufs. This can make Try jobs slower than non-Try jobs.
This commit declares Docker volumes for popular cache paths. If the
cache is present, the cache takes precedence over the declared volume.
If the cache isn't present, Docker falls back to an empty volume that's
used for the task and only the task.
It's worth noting that desktop-build is updated redundantly with
centos6-build. We currently can't rebuild centos6-build because of
a determinism issue (bug 1272629) breaking valgrind. So, I work around
this by declaring the volume in the top-most "desktop-build" layer.
This hack can be removed once we merge the images.
MozReview-Commit-ID: 7JtxAfI7ED5